1 Timothy Pilgrim Deputy Privacy Commissioner Speech to Biometrics Institute Privacy in Australia: Challenges and Opportunities 27 May 2010 Amora Hotel Jamison, Sydney
1
Timothy Pilgrim
Deputy Privacy Commissioner
Speech to
Biometrics Institute
Privacy in Australia: Challenges and
Opportunities
27 May 2010
Amora Hotel Jamison, Sydney
2
Introduction
May I start by thanking the Biometrics Institute for this
opportunity to speak, and for Leanne’s warm introduction.
Our Office welcomes the commitment the Biometrics Institute
has just given to include representation from consumer
organisations and academia on the next review panel for the
Biometrics Institute Privacy Code. Our Office believes that
independent reviews of industry codes are critical to their
effectiveness.
I am very pleased to be able to present to an audience of people
so clearly at the forefront of biometric technology development
and use. As you would all understand, research and planning
is very important in achieving a project’s objectives. So, today I
will be talking to you about building privacy into projects
early. If you are going to do privacy right, you need to think
about privacy early and build it in from the start.
Like so many emerging technologies, biometric technologies
have the potential to improve our lives and offer great
3
opportunities. Many of you will be motivated by the goal of
providing society with modern, innovative solutions to tackle
difficult-to-solve problems.
But as you surge ahead along this path of innovation and
problem-solving, other important aspects need to be
considered as part of their development. And probably the
most important of these, particularly in the field of biometrics,
is privacy.
Now I would like to be clear about something; technology is
not the enemy of privacy. Technology can be privacy
enhancing. Privacy can be an enabler, not a blocker for
technology development. Our Office believes it is crucial that
there is a conversation about privacy and its relationship with
the evolution of biometric technologies. And this conversation
needs to happen now more than ever, as these technologies
continue to rapidly take hold in everyday transactions.
It is now that we have the best opportunity to make sure that
privacy is embedded in the design and operation of biometric
4
technologies. Tacking privacy protections on at the end is never
the best outcome. Last minute considerations can be costly and
complicated for agencies and organisations, and potentially less
effective in protecting individuals.
Today, I will emphasise two key messages. The first is that, for
biometric technologies to be successful, individuals need to be
able to trust that their privacy is not being eroded and, if
possible, being enhanced. Without that crucial ingredient of
trust, the industry in which you are all involved will struggle to
thrive. Without the buy-in of the society in which you are
operating, biometric technologies will not be able to produce
the genuine solutions they aim to provide.
And the second message is that, for biometric technologies to
flourish in a way that genuinely meets the community’s needs
and expectations, they need a nationally consistent regulatory
environment. I will speak more about this later.
But first, I’d like to talk a bit more about the role privacy should
play in the development and use of biometric technologies.
5
Biometric information and privacy
The way that governments and organisations handle biometric
information is something that many people, quite
understandably, feel very strongly about. This is because
biometric information is about a person’s physical
characteristics. When we collect biometric information from a
person, we are not just collecting information about that
person, but information of that person.
Biometric information cuts across both information privacy and
physical privacy. It can reveal sensitive information about us,
including information about our health, genetic background
and age, and most importantly, it is intrinsic to each of us.
The very nature of biometric information is one of its major
advantages in terms of its powers of identification. However,
this same attribute can also create significant privacy risks.
This is why developers and users of biometric technologies
always need to have one eye on the solution the technology is
being developed and used for, and the other eye on privacy
6
outcomes. If you don’t watch both, you will not be able to
achieve either.
It might be a good time to talk briefly about how privacy is
regulated in Australia.
The Privacy Act
I know that many of you will have a good knowledge of
privacy laws. However, I still think it’s useful to provide just a
quick Privacy 101 update – some of the most important things
you need to know about the current privacy regulatory
framework and the role of our Office.
The first thing to note is that the Privacy Act is mainly about
information or data protection – not about bodily or territorial
privacy.
The Privacy Act protects ‘personal information’, which means:
information or an opinion *…+, whether true or not, and
whether recorded in material form or not, about an
7
individual whose identity is apparent, or can be
reasonably ascertained, from the information or opinion.1
The way organisations and agencies handle biometric data is
only regulated by the Privacy Act to the extent that the data is
also ‘personal information’.
Second, it is important to realise that privacy, under the Privacy
Act, is not an absolute right. The Privacy Act recognises that
privacy needs to be balanced against other competing interests,
including the desirability of the free flow of information and
the recognition of the right of government and business to
achieve their objectives in an efficient way. The Act is about
balancing a range of interests, and that is the way our Office
approaches its responsibilities.
Technology development
While the Privacy Act was designed to be technologically
neutral, and while our Office believes that it has been effective
in regulating flows of personal information since it was
1 Privacy Act 1988, s 6.
8
introduced in 1988, a great deal has changed in the way society
conducts itself since then. Rapid advances in technology over
the decades have presented significant challenges for
regulation of personal information-handling in Australia.
Developments in biometric technologies have been at the
forefront of this change. Back when the Privacy Act was
introduced in 1988, many biometric technologies were largely
confined to science fiction movies. Of course, a few, such as the
use of fingerprints in law enforcement, were well established.
However, the concept that biometric technologies could
become part of our everyday consumer transactions was almost
unthinkable.
A person standing in line at a bank branch in 1988 would
struggle to conceive a future where they could phone their
bank, be identified by voice recognition technology, and
transact from the comfort of their own home. Yet today, this is
a reality.2
2 NAB media release, NAB selects Telstra and Salmat VeCommerce to supply voice biometric solution,
22 June 2009, retrieved 19 May 2010 from:
9
A worker signing a time sheet as they arrived at work in 1988,
would struggle to conceive a time when they would be
required to have a fingerprint scanned to clock on. Yet for
some people today, this is a reality.
A young adult entering a nightclub in 1988 would struggle to
conceive a future where they would have to submit to a face
scan before being allowed entry. This would have been the
crazy plot of some futuristic television show. But today, this is
also a reality.
We are likely to continue to see increasing use of biometric
technologies like those I have just mentioned, as well as iris
scanning, palm scanning, and many others, in ways that we
cannot predict. Assuming that these new technologies are
developed in a way that is genuinely sensitive to privacy, this
need not necessarily be a bad thing.
http://www.nab.com.au/wps/wcm/connect/nab/nab/home/About_Us/8/5/14/NAB+selects+Telstra
+and+Salmat+VeCommerce+to+supply+voice+biometric+solution
10
Biometrics – neither good nor bad
What is interesting about biometric technology is that we tend
to hear both that it is good and bad for people’s privacy.
On one hand, we hear that biometric technologies enhance
privacy. For example, voice recognition technology is being
rolled out in some call centres to identify callers, leading to
more effective protection of clients’ personal information.
On the other hand, we hear that biometric technology has the
potential to invade our privacy. For example, in the film
Minority Report, individuals confront ubiquitous iris scanning
infrastructure and technology which allows their every activity
to be tracked.
How do such obviously divergent views on privacy and
biometrics coexist?
The answer is: because biometric technology is what we make
it. Biometric technologies are not inherently good or bad for
privacy, and privacy is not a blocker to the use of biometric
11
technologies. These technologies can become good or bad for
privacy depending on how they are designed, developed and
deployed.
This is one of the key messages that I would like to
communicate to you today. By considering projects involving
biometric technologies in the context of privacy, and by
building in privacy from the very beginning of the design
phase, we can ensure that biometric technologies do not
impinge on, but actually enhance, the privacy of individuals.
Enjoying the benefits of biometric technologies does not also
mean we have to give up other freedoms or rights. Biometric
technology has a lot to offer. Let’s take responsibility to
develop biometric systems carefully so that they achieve their
aims while protecting privacy.
How to build privacy in
Our Office encourages all agencies and organisations to
conduct Privacy Impact Assessments when commencing
projects that are likely to impact on privacy to design it in.
12
Earlier this month, in Privacy Awareness Week, we launched a
new version of our Privacy Impact Assessment Guide, catering
for both organisations and agencies.
Building privacy in from the start is cheaper and more effective
than considering it only as an afterthought. Most importantly,
projects and products that have been through a comprehensive
privacy planning process are likely to inspire the trust of the
community, have greater take-up and success, and so build
your organisation’s reputation.
The essential ingredient – trust
I have already mentioned trust a few times. Trust is a major
factor in consumers’ decision-making processes. In fact, in the
Community Attitudes to Privacy research commissioned by
our Office in 2007, 36 per cent of people stated that they had
decided not to deal with an organisation because of concerns
about how their personal information would be handled. This
shows that individuals’ perceptions about personal information
can often dictate their consumer decisions.
13
It may, or may not, surprise you to hear that government
departments actually enjoy a high level of trust from the
community. In fact, that trust has been growing. 73% of
people surveyed said they believed that government
departments were trustworthy when it came to how they
collected and used personal information. This is in comparison
to 64% in 2004 and 58% in 2001.
The numbers for private sector organisations were generally
lower that this, with 58% of people considering ‘financial
organisations’ to be trustworthy, 37% for retailers and 17% for
businesses selling goods over the internet.
No agency or organisation can ever afford to be complacent
about trust. They can lose this trust and their reputation
overnight if they sustain a major breach of personal
information or handle personal information poorly.
And as I mentioned, many consumers will vote with their feet
if they suspect an organisation may mishandle their personal
information. This statement is particularly relevant for
14
audience members here today, given that many consumers feel
that biometric data is even more sensitive than other forms of
personal information.
I should also note here that we are currently conducting several
investigations including an own motion investigation into the
scanning of driver’s licences and the separate collection of
biometrics like finger prints at night clubs and other
entertainment venues. This includes looking at the technology
and the processes involved. As these are ongoing
investigations I cannot discuss any details but it does illustrate
the importance of getting the technology and the business
practices right from the start.
I note with interest that the Biometrics Institute is aware of the
importance of community trust and confidence in an
organisation’s information-handling practices. The preamble
to the Biometrics Institute Privacy Code states: “only by adopting
and promoting ethical practices, openness and transparency can these
technologies gain widespread acceptance”.
15
For agencies, it is even more vital to be careful to incorporate
privacy principles into their operations as, in many cases,
individuals may not have a choice about whether or not they
participate in that agency’s systems or operations. A poorly
designed project incorporating biometric technology can cause
considerable embarrassment or worse for government and
serious repercussions for individuals.
Working with new technology is challenging, but it can also be
very rewarding. If you’re pioneering or implementing new
biometric technologies, or any new product or service that
impacts upon personal information, our Office encourages you
to rigorously consider any privacy implications that may arise.
By doing this, you place yourself ahead of the game, and are
more likely to inspire the trust and confidence of your
consumers and the community.
National consistency
There’s another issue that I would like to discuss with you
today. It is a little more technical, but is no less significant. It
relates to the array of laws and regimes that govern the
16
handling of personal information, including biometric
information, in Australia.
As most of you will be aware, the Privacy Act is ‘principles
based’. There are 11 Information Privacy Principles (IPPs) for
Australian Government agencies, and 10 National Privacy
Principles (NPPs) for business. These principles govern how
those agencies and businesses handle personal information,
including its collection, use and disclosure, security and
destruction.
However, the Privacy Act has some exceptions. For example, it
does not cover most small businesses. Nor does it cover state
government agencies. To bridge this gap, some Australian
states have introduced their own laws covering their public
sector.
Navigating the complex relationship between state and
national laws is a familiar story in our federation, but this is
little consolation for organisations and agencies trying to
understand their privacy obligations.
17
In our current regulatory environment, some users of biometric
information may fall outside of our Office’s jurisdiction, and
may not be required to comply with the Privacy Act.
Private sector organisations bound by the NPPs that perform
some functions under contract to a state or territory
government may have to comply with different laws for that
work. As well, organisations contracted to Australian
Government agencies may have to comply with the IPPs for
functions performed under the contract, and the NPPs for their
other functions. Confused? Well, it’s not surprising.
And what is the main implication for biometrics? With
different laws applying to different kinds of organisations and
agencies, we risk having different standards applied to
organisations and agencies conducting similar activities.
Information flows do not stop at state borders. Many large
organisations have a presence in some or all Australian states
and territories. In our modern, integrated economy, it makes
little sense and can be very expensive to require organisations
18
to handle information differently in different states and
territories, even if these differences are often only minor.
As I’m sure you can see, the system that is currently in place
can be quite complex. This is a challenge indeed. However,
I’m glad to be able to inform you that there are genuine
opportunities for improvements on the horizon.
Changes in the pipeline
As many of you will be aware, the Government has announced
its intention to make major changes to privacy law in Australia.
The Australian Law Reform Commission (ALRC) delivered a
report to the Government in May 2008 recommending 295
changes to Australia’s privacy framework. The Government
outlined its first stage response to the Report in October last
year, putting forward its position on 197 of the ALRC’s
recommendations.
19
The Government has said that it intends to release exposure
draft legislation reflecting these changes during 2010.3
A number of the recommendations that the Government has
decided to adopt will have significant, and hopefully positive,
impacts for the environment in which biometric technologies
must operate in Australia. I’d like to explain some of these to
you now.
Single set of privacy principles
As I mentioned earlier, in the Privacy Act, there are two sets of
privacy principles.
In what is probably the key reform proposal of all of the
ALRC’s 295 recommendations, the Government announced
that it sees the wisdom in replacing these two sets of principles
with a single set of principles to cover all entities that are now
covered by the NPPs or the IPPs. This means that, for the first
time, Australian Government agencies will have the same
3 Department of the Prime Minister and Cabinet website, retrieved 19 May 2010
http://www.dpmc.gov.au/privacy/alrc.cfm
20
obligations as private sector organisations covered by the Act
(of course with a few exceptions).
So what does this mean for users of biometric data? This
represents a significant step towards national consistency in the
regulation of privacy and biometrics. For the first time, one set
of rules will cover the biometrics field at a national level.
Biometric information as sensitive information
As I mentioned earlier, when we collect biometric information
from a person, we are not just collecting information about that
person, but information of that person. Recognising this fact,
the Government has accepted the ALRC’s recommendation
that biometric information be treated as ‘sensitive information’
under the Privacy Act.
As it stands, the Privacy Act regulates the handling of personal
information generally. The NPPs also contain extra protections
specifically dealing with what is termed ‘sensitive information’,
whereas the IPPs do not. The new, unified set of privacy
21
principles will apply the higher protections applying to
sensitive information to both agencies and organisations.
Sensitive information is a subset of personal information and
includes information about things such as:
racial or ethnic origin
religious beliefs or affiliations
criminal record information
health information.
The ALRC neatly explains the rationale behind treating
biometric information as ‘sensitive information’:
‘Biometric information shares many of the attributes of
information currently defined as sensitive in the Privacy
Act. It is very personal because it is information about an
individual’s physical self. Biometric information can
reveal other sensitive information, such as health or
genetic information and racial or ethnic origin. Biometric
22
information can provide the basis for unjustified
discrimination.’4
What this change will mean then is that organisations and
agencies will only be able to collect sensitive biometric
information about an individual in defined circumstances,
including where:
the individual has consented to the collection
the collection is authorised or required by or under law, or
the collection is necessary to prevent a serious threat to the
life, health or safety of any individual.
This change will give individuals greater confidence that their
sensitive biometric information will be appropriately treated by
both agencies and organisations. And as you know, confidence
is an important ingredient in building up trust.
4 Paragraph 3.170, Discussion Paper, Australian Law Reform Commission, Review of Privacy, 2007 (retrieved
on 19 May 2010 from http://www.austlii.edu.au/au/other/alrc/publications/dp/72/3.html)
23
This change will also ensure that both agencies and
organisations have consistent obligations regarding the way
they handle biometric information.
Technological neutrality
Importantly, the Government has also committed to ensuring
that the Privacy Act remains technologically neutral. What this
means is that the Act will continue to regulate information
handling without referring to specific technologies.
This is important because it gives the Privacy Act the flexibility
to be relevant to new technological realities as they present
themselves.
The current Privacy Act was introduced in 1988 – a time when
many people were only just buying their first microwave.
People did not have access to the internet, mobile phones and
an array of other technologies, including biometric
technologies, that are central parts of our lives today. The
principles that underpin the Privacy Act are even older, having
originated in the 1980 OECD Privacy Guidelines.
24
It is a testament to the success of the principle of technological
neutrality that the Privacy Act has been able to regulate
personal information flows in Australia for more than 20 years
without major difficulties.
Of course, technological neutrality does not mean that we bury
our heads in the sand when it comes to technological change.
Our Office believes that we can have technological neutrality of
privacy laws while still having laws that are technologically
relevant. We believe that technological neutrality allows the
Privacy Act to be adequately flexible to accommodate
technological change. What we don’t want is a privacy regime
that goes out of date every time technology changes!
Privacy codes
Going hand-in-hand with the concept of technological
neutrality is the proposal to expand the Privacy
Commissioner’s powers in relation to privacy codes.
25
At present, industry groups are able to propose the
introduction of a privacy code in a specific area. If the code has
protections equal to or stronger than the NPPs, the Privacy
Commissioner can approve it, and any organisation that opts in
to the Code must comply with it. Our Office can handle
complaints about breaches of privacy codes.
Many of you here today will of course be familiar with one
such code – the Biometrics Institute Privacy Code although our
Office notes, regrettably, the low take up of the Code by
businesses who are members of the Institute. We would
encourage you to look again at the benefit in signing up to the
higher privacy protections afforded to individuals by the Code,
such as demonstrating to your clients your commitment to
good privacy practice.
As well our Office welcomes the Institute’s recent development
of the Privacy Awareness Checklist which each member has
been asked to complete when renewing their membership.
26
Under the proposed changes to the Privacy Act, the Privacy
Commissioner will be able to request that an organisation or
industry body develop a Privacy Code binding specified
organisations. If an appropriate code is not developed, the
Commissioner will be able to develop and impose one.
Of course, our preferred approach is to allow industries to take
responsibility for their privacy obligations, and we are
confident that this will happen. The Office encourages your
industry to be proactive in its approach to privacy, and as I
mentioned before, to build privacy into projects, rather than
simply bolting it on.
However, this code-making power will allow our Office and
industry the flexibility to ensure that certain fields dealing with
specialised kinds of information and technology can be
regulated appropriately, and in more detail than in the Act if
necessary. This will give the Office the power to respond in a
timely manner to new technologies with specific privacy issues,
without needing a Privacy Act legislative change, which can be
a very time-consuming and uncertain process!
27
Consistent laws in states and territories
With all of these changes planned in the sphere of privacy law,
particularly with the use of biometric technologies, you could
be forgiven for feeling slightly intimidated. My advice to you
is not to be overwhelmed by the challenges that come with
change, because the developments unfolding before us actually
present great opportunities:
the opportunity to develop consistent privacy laws across
the public and private sectors in Australia
the opportunity for all of us in the room to get ahead of
the game, and start planning for the future
and, perhaps most significantly, the opportunity for
parliaments across Australia to take the new national laws
as a model, to simplify and make consistent information-
handling laws across all jurisdictions.
I refer again to the example I used earlier of some organisations
needing to be conscious of both the NPPs and the IPPs and
possibly even state privacy legislation. Our Office can see a
future where laws across the country relating to information
handling, including the regulation of biometric technologies,
28
will be aligned. With a simplified national privacy regime,
government and organisations would at the same time have a
reduced compliance burden and greater certainty of their
obligations.
Conclusion
So in concluding let me say again that there is nothing wrong
with acknowledging that biometric technologies have the
potential to offer our society many great benefits.
Equally though, done badly, the development and use of
biometric technologies has the potential to impinge on
individual privacy and thereby risk undermining community
confidence in such technologies. Once that community
confidence evaporates, so too does much of the potential that
might have made the technologies attractive in the first place.
This is why it is important to address and build in privacy now.
If, as I suspect it is, the ultimate goal of the work of this
audience is to devise, build and use innovative technological
29
solutions the work you do is too important to risk jeopardising
good results with poor privacy protections.
It is also vital that the environment in which these biometric
technologies are developing be simple and nationally
consistent to allow them to flourish in a considered, rather than
an ad hoc, fashion. By having a simple, clear, nationally
consistent environment, everybody knows where they stand,
and individuals can be more confident that agencies and
organisations will appropriately safeguard their privacy. In a
word, it will generate trust.
Thank you.